A.3.4.2. Targets

Targets define what happens to the matched packet. Like matches, targets are extensions and behave in a similar way. Targets can perform two actions:

  • modify some parameter of the packet/connections (for example, IP addresses, TOS bits, TTLs, MARKs), and

  • provide a verdict.

Note

Not every target has a verdict, meaning that the evaluation of a chain does not necessarily end with the matching rule. Remember that the evaluation ends when a verdict is set, so it is necessary to know which targets have a verdict, in other words, which ones are final targets.

For example, the TTL target, which modifies the TTL of the packet, cannot ACCEPT it. For ACCEPT, another rule or a default policy is needed.

Another option for a target is to jump to another chain. When jumping to another chain, the evaluation continues in the new chain. If the other chain is evaluated and no match occurs or no verdict is set, the evaluation continues in the original chain from the next rule after the jump.
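
The traversal rules described above, as an added example that is not part of the original documentation or of netfilter: a small Python model of chain evaluation with a non-final target (TTL), a jump to a user-defined chain, and a default policy. The chain name `web`, the sample rules and the packets are constructed for illustration, and the model ignores which table a target is valid in.

```python
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that set a verdict

def evaluate(chains, policy, chain, packet, trace):
    """Walk one chain; return a verdict, or None if the chain sets none."""
    for number, (match, target, arg) in enumerate(chains[chain], start=1):
        if not match(packet):
            continue
        trace.append(f"{chain}:{number}:{target}")
        if target in TERMINATING:
            return target                   # verdict set: evaluation ends here
        if target == "TTL":
            packet["ttl"] = arg             # packet modified, no verdict set
        elif target in chains:              # jump to another chain
            verdict = evaluate(chains, policy, target, packet, trace)
            if verdict is not None:
                return verdict
            # no verdict there: continue with the rule after the jump
        else:
            raise ValueError(f"unknown target {target!r}")
    return policy.get(chain)                # default policy (built-in chains only)

def run(packet, chains, policy, start="FORWARD"):
    """Return (verdict, list of matched rules) for one packet."""
    trace = []
    return evaluate(chains, policy, start, packet, trace), trace

# Constructed sample ruleset: (match, target, argument) per rule.
CHAINS = {
    "FORWARD": [
        (lambda p: True, "TTL", 64),
        (lambda p: p["proto"] == "tcp", "web", None),
        (lambda p: p["proto"] == "icmp", "ACCEPT", None),
    ],
    "web": [
        (lambda p: p["dport"] == 80, "ACCEPT", None),
        (lambda p: p["dport"] == 23, "DROP", None),
    ],
}
POLICY = {"FORWARD": "DROP"}

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "dport": 80, "ttl": 5},
                {"proto": "tcp", "dport": 22, "ttl": 5},
                {"proto": "udp", "dport": 53, "ttl": 5}):
        print(pkt, run(dict(pkt), CHAINS, POLICY))
```

The UDP packet shows the point of the note: the TTL rule matches and rewrites the packet, but the verdict still comes from the default policy because no later rule sets one.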

The most commonly used targets are ACCEPT, DROP, REJECT, TOS, TTL, [DS]NAT and TPROXY.